Risk Management in 2009 – Reflections

Posted December 26, 2009 by riskviews
Categories: ERM, Enterprise Risk Management, Financial Crisis, Regulatory Risk, Risk Learning, Risk Limits, Risk and Light, Sub prime, risk assessment

Perhaps we will look back at 2009 and recall that it is the turning point year for Risk Management.  The year that boards and management and regulators all at once embraced ERM and really took it to heart.  The year that many, many firms appointed their first ever Chief Risk Officer.  The year when they finally committed the resources to build the risk capital model of the entire firm.

On the other hand, it might be recalled as the false spring of ERM before its eventual relegation to the scrapyard of that incessant series of new business management fads like Management by Objective, Managerial Grid, TQM, Process Re-engineering and Six Sigma.

The Financial Crisis was in part due to risk management.  Put a helmet on a kid on a bicycle and they go faster down that hill.  And if the kid really doesn’t believe in helmets and they fail to buckle the chin strap and the helmet blows off in the wind, so much the better.  The wind in the hair feels exhilarating.

The true test of whether the top management is ready to actually DO risk management is whether they are expecting to have to change some of their decisions based upon what their risk assessment process tells them.

The dashboard metaphor is really a good way of thinking about risk management.  A reasonable person driving a car will look at their dashboard periodically to check on their speed and on the amount of gas that they have in the car.  That information will occasionally cause them to do something different than what they might have otherwise done.

Regulatory concentration on Risk Management is, on the whole, likely to be bad for firms.  While most banks were doing enough risk management to satisfy regulators, that risk management was not relevant to stopping or even slowing down the financial crisis.

Firms will tend to load up on risks that are not featured by their risk assessment system.  A regulatory driven risk management system tends to be fixed, while a real risk management system needs to be nimble.

Compliance based risk management makes as much sense for firms as driving at the speed limit regardless of the weather, road conditions or the condition of the car’s brakes and steering.

Many have urged that risk management is as much about opportunities as it is about losses.  However, that is then usually followed by focusing on the opportunities and downplaying the importance of loss controlling.

Preventing a dollar of loss is just as valuable to the firm as adding a dollar of revenue.  A risk management loss controlling system provides management with a methodology to make that loss prevention a reliable and repeatable event.  Excess revenue has much more value if it is reliable and repeatable.  Loss control that is reliable and repeatable can have the same value.

Getting the price right for risks is key.  I like to think of the right price as having three components.  Expected losses.  Risk Margin.  Margin for expenses and profits.  The first thing that you have to decide about participating in a market for a particular type of risk is whether the market is sane.  That means that the market is realistically including some positive margin for expenses and profits above a realistic value for the expected losses and risk margin.

Most aspects of the home real estate and mortgage markets were not sane in 2006 and 2007.  Various insurance markets go through periods of low sanity as well.

Risk management needs to be sure to have the tools to identify the insane markets and the access to tell the story to the real decision makers.

Finally, individual risks or trades need to be assessed and priced properly.  That means that the insurance premium needs to provide a positive margin for expenses and profits above the realistic provision for expected losses and a reasonable margin for risk.

There were two big hits to insurers in 2009.  One was the continuing problems to AIG from its financial products unit.  The main lesson from their troubles ought to be TANSTAAFL.  There ain’t no such thing as a free lunch.  Selling far out of the money puts and recording the entire premium as a profit is a business model that will ALWAYS end up in disaster.

The other hit was to the variable annuity writers.  In their case, they were guilty of only pretending to do risk management.  Their risk limits were strange historical artifacts that had very little to do with the actual risk exposures of the firm.  The typical risk limits for a VA writer were very low risk retained from equities if the potential loss was due to an embedded guarantee and no limit whatsoever for equity risk that resulted in drops in basic M&E revenue.  A typical VA hedging program was like a homeowner who insured every item of his possessions from fire risk, but who failed to insure the house!

So insurers should end the year of 2009 thinking about whether they have either of those two problems lurking somewhere in their book of business.

Are there any far out of the money risks where they are not appropriately aware of the large loss potential?

Are there places where risk limits are based on tradition rather than on risk?

Have a Happy New Year!

Enduring Fundamentals in a ‘Relocated World’ (Recovering From This Dislocation)

Posted December 22, 2009 by riskviews
Categories: Financial Crisis, Uncertainty

From Mike Cohen

“Where do we go from here, and what have we learned to help us arrive there safely and prosperously?” What risk management lessons have been learned?

Dislocations have occurred many times in history, and have occurred in many societal areas, changing many aspects of life profoundly:

- Economy: Agrarian, manufacturing, technology, service

- Military history: Strategies/tactics, weaponry

- Social/family mores: Many, many variations with intensely personal and emotional elements

- Political systems: Capitalism vs. socialism, big vs. small government, government leadership vs. self-determination

Dislocations will, without question, continue to occur in the future, and just as surely manifest themselves in unpredictable ways. Survivors, and ideally ‘thrivers’, will understand when dislocations occur and make the changes necessary to operate well in their new environments.

There are a number of business and societal behaviors that have been culpable in contributing to the interim demise of our socio-economic system:

- Greed

- Poor analysis

- Nonchalance

They are not effective, and have eerie parallels to the seven deadly sins.

While many aspects of our personal and business lives have changed, certain themes remain the same. Righting the ship will be driven by adherence to a number of fundamentals that have driven our success over history and will drive our success in the future.

1) Responsibility and trust: Our actions … what we say and what we do … are our legacy. Do we stand behind them in terms of honesty and wisdom?

Kahlil Gibran, in his epic work ‘The Prophet’, said that “You are the bows from which your children as living arrows are sent forth.” Quite so, but we need to make sure our aim is straight and sure. Our children are our most sacred trust, the most important manifestations of our legacy. Our actions are right alongside in terms of importance.

2) Be ‘students’ of what we do:

- What is the purpose of our actions? What are we trying to accomplish?

- Are people or institutions going to be hurt by what we are doing?

- What risks are we taking?

- Functions of all kinds … how do they need to be performed?

3) How do our products work? What needs and wants do they satisfy? In life insurance, for example, those needs and wants to be satisfied are:

- Protection

- Asset accumulation

- Transactions

- Advice:

* Our financial world has never been more complicated and uncertain, and customers (both individuals and corporations) have never had a greater need for guidance

* ‘Caveat emptor’ (let the buyer beware) – Is this too difficult a burden for the consumer of the 21st century?

4) What do corporations need to do to succeed?

- Satisfy their customers’ needs and wants, more effectively and efficiently than their competitors can

- Manage the profit characteristics, for themselves and their customers, well

- Understand the risks in their enterprise, and ensure that they don’t interfere with the interests of their stakeholders

- Operate with integrity and transparency

We have recovered from dislocations in the past; we’re here, aren’t we? Understanding change, that it will always be occurring and how changes have manifested themselves, is critical to our evolution. Not recovery, but evolution. If we forget history, then we are doomed to repeat it. The same is true for understanding history, although the understanding of history is affected by the authors who report it. “How was your vacation?” “I don’t know. I have to wait to see the pictures”

We will solve the major issues confronting our financial system, but we will in all likelihood come out the other end in a very different place.

You may not be able to Grow out of it

Posted December 21, 2009 by riskviews
Categories: ERM, Enterprise Risk Management, Execution Risk, Green shoots, Growth, Revenues, Risk

Growth does not always mean excessive risk, but excessive risk is almost always associated with high growth.

Growth has a way of masking problems.  Things are changing and it is often very difficult to understand whether the changes are just a lag in reporting the good things that come from healthy growth or if they are leading indicators of major problems.

The firm needs to grow risk management analysis and attention along with highest growth activities.  That needs to be demanded from the top.  No middle or even high level risk officer will ever have the authority to slow down the part of the company that is growing the best.  Firms need to have CEO commitment to extra risk analysis of the fastest growing business.

The firm needs to establish its operational capacity for handling growth.  The most common reaction to unexpected growth is to delay hiring additional staff (along with delaying adding additional risk staff as mentioned above).  After more delay and more growth, the business might seem much more profitable than expected.  Some of that excess profitability is coming from the understaffing.  Some of the profitability might be coming from mistakes in recordkeeping due to the understaffing.  A sudden delayed effort to fix the understaffing will most often hurt more than it helps in the short run.

And what is most likely to be shortchanged in an understaffed growing situation?  Why, it is quality control and recordkeeping.  So if there is a growing problem it is very hard to notice it.

So what to do?

Every great mistake has a halfway moment, a split second when it can be recalled and perhaps remedied.

Pearl Buck

Part of the process of planning for each new thing that might grow, if it is as successful as is hoped, needs to be to determine where that halfway moment might be.

Risk Intelligence

Posted December 20, 2009 by riskviews
Categories: Risk, Uncertainty

Nick sent out a link to a test that you can take that measures Risk Intelligence.

http://www.projectionpoint.com/

Try it…  I believe that it does give some insight to a different aspect of intelligence that is needed for good risk management.

I would not say that it suggests anything new.  In fact, it seems to link Risk Intelligence back to the ancient inscription at the Oracle of Delphi,

KNOW THYSELF

To be able to understand RISK, that is a good first step, to be able to distinguish between things that you know and things that you do not know are true. I would suggest that is pretty basic for success in any endeavor, including risk management.

However, I would suggest a slightly different standard as the most important kind of intelligence needed for risk management. That would be the ability to:

- Distinguish between Future Events that are Certainties and Future Events that are Uncertain.

- Distinguish between RISK and UNCERTAINTY in a Knightian sense for the Uncertain events.

- Remember after the fact that at some past time, when a decision had to be made, the future events that we now all know to be certain because they have happened, were uncertain.

But those conditions seem like boundary conditions – there is no Risk Intelligence if those conditions are not met.

Real Risk Intelligence would then be the ability to make reliable estimates of the likelihood of Uncertain Events.

Real Risk Intelligence would need to be scored as the Projection Point test is scored, that is against a scale that incorporates the idea that answers are not right or wrong, but that acknowledges that probabilistic answers should be scored on a curve (actually they use a diagonal) that reflects the likelihood as well as the outcome.

I would suggest that taking the Projection Point Risk Intelligence Test is worth the 10 minutes that it takes.  But it is the beginning rather than the end of investigation into the idea of Risk Intelligence.

Does Bloomberg Understand Anything about Risk Management?

Posted December 18, 2009 by riskviews
Categories: Asset Liability Management, Interest Rate Risk, Options, Reputation Risk, Risk, Risk Management, Uncategorized

On December 18, Bloomberg posted a story about losses on interest rate swaps at Harvard.  The story says that in 2004, Harvard entered into long term swaps to lock in future rates for planned borrowing.  That seems like ok risk management.  But as it happened, interest rates did not rise, they fell.  So the hedge was not needed.  The type of hedging strategy that they chose had no initial cost.  The cost of risk management was incurred only if the hedged event did not happen.  If interest rates did rise, then the swaps would have resulted in a gain so that Harvard’s costs were limited to a predetermined amount.  If interest rates fell, then Harvard would pay on the swaps, but save on the interest costs, bringing the sum of interest paid on their borrowing and the swap payments to a fixed predetermined total in all cases.

However, Bloomberg chooses to say it this way:

Harvard was betting in 2004 that interest rates would rise by the time it needed to borrow.

The bulk of the story is about how Harvard lost their “bet” and how much money that they lost because they lost the “bet” when interest rates fell, and Harvard had to postpone their planned borrowing. 

No wonder it is difficult for firms to disclose any information about actual risk management actions and plans, if a reasonable, but not perfect, risk management action is seen as a “bet” rather than a move to stabilize interest costs.

Every risk management action will have a cost.  Harvard’s real bad move, similar to the one by Soc Gen in January 2008, was the choice to lock in losses, and at the worst time.  Interest rates cannot go below zero, so there is absolutely no reason to get out of those swaps, unless their cashflow was so, so poor that they had no way to pay the monthly interest swap amount (even though they somehow had the cash to settle all of the swaps, presumably paying the present value of the long term swap amounts as viewed at a time of very low interest rates).

Their other bad move was to fail to hedge the possibility that they would not even do the project and therefore not need the hedge.  To identify how to hedge that situation, they would have had to do some scenario testing of scenarios of extreme losses in their endowment that would have resulted in the situation that they now find themselves.  That analysis should have resulted in some far out of the money hedges on the investments in Harvard’s portfolio.  And the fact that much of their portfolio may be unhedgeable should have been a warning about the wisdom of making forward commitments like the swaps that presume that the endowment will not tank.

Seeing how wrongheaded the coverage of the transactions was, Harvard probably felt that they had long term reputational risk from paying the monthly payments. 

Alternately, if as the article says, the swap markets are so much more liquid at periods for up to 3 years, then why didn’t they enter into trades to reverse the first 3 years of the payments?

No matter what the market says right this minute, I find it hard to believe that interest rates for Harvard will never again reach the 4.72% that the swaps were locking in as the rate.

But that is not the point.  The point is that Bloomberg reports Risk Management as a “bet” implying that lack of risk management is not a “bet”. 

But, how many companies are implicitly taking a “bet” that the future will never get worse than the present by not hedging anything? 

Why is that NEVER a story?

ReCapitalization Fantasy

Posted December 17, 2009 by riskviews
Categories: Economic Capital, Financial Crisis, Regulatory Risk, Solvency II

Guest Post from Larry Rubin

I question whether sufficient attention is being paid to the definition of risk in most risk measures and in Solvency II. In this case the use of 1-year VAR. Insurance companies make long term promises as compared to other financial institutions. Yet we have seen the inadequacies of this risk measure for these other institutions. 1-year VAR is based on the assumption that if a company can survive a year it can re-capitalize. The credit crisis has shown that in a period of economic distress when it is most likely that many companies will be “in the tail” the ability to re-capitalize is suspect if non-existent. Companies such as Lehman Brothers, Northern Rock, AIG and IndyMac could not re-capitalize. Bear Stearns, Merrill Lynch and WaMu required government support to facilitate the sale of their liabilities.

I believe one of the lessons of the credit crisis is that either the 1-year VAR analysis needs to reflect the potential drying up of capital during a tail event or insurance companies need to re-think the 1-year VAR measure. US Risk Based Capital, while an imperfect measure, has had ruin theory as its fundamental premise. This measure has held up well as most US life insurance operating companies maintained sufficient capital to survive to the point where it was possible to re-capitalize.

Larry H. Rubin

Live Ammunition

Posted December 13, 2009 by riskviews
Categories: Action, ERM, Enterprise Risk Management, Governence, Risk, Risk Culture, Risk Management

Are you working with live ammunition with your risk management program?

What I mean is, when the risk models and the risk reports show a problem, is the reaction to promptly fix the problem, or is the reaction to start a study of the problem?

The question really is whether the risk management information streams are considered primary information for managing the firm or are they secondary systems?

If the reaction to an indication of a problem from the risk management systems is to initiate a study, then the implied presumption is that the real information systems say that everything is ok, and this secondary system says not. So we need to check this out.

Many commentators about risk management have been calling for “RISK” to be given authority. What I think that means is that RISK would be empowered to act when the risk management system tells of a problem. RISK would order that something be bought or sold or whatever to fix the problem.

I think that the presumption there is that there is no possibility that anyone other than RISK would actually ever act upon a warning from the risk management systems. So if risk management is to be taken seriously, then it must be for RISK to do that.

Well, wouldn’t it be much better if the risk management information was considered to be a primary information source for the folks who actually run the businesses? Think about it. If you run a bus company and want the drivers to stay within the speed limit, do you put someone in the back of the bus with a speedometer and a brake pedal who will step on the brake whenever the bus starts to go too fast? Or do you train the bus driver to use the brake pedal herself?

Risk Management needs to be everyone’s job. If the CEO of the firm is not willing to hold business managers responsible for risk, then he really does not want risk management.

The job of RISK is not to override the bus drivers, it is to make sure that the speedometers and brakes work right, that the acceleration pedal does not stick down and that the driver is well trained in how to interpret the speedometer and use the brakes in the right way. RISK keeps the CEO and the Board informed about the effectiveness of the risk management system and helps top management to understand the risk reward choices that they are faced with when the major decisions about the firm’s future are being made.

Violator of Risk Limit

Posted December 11, 2009 by riskviews
Categories: Action, Governence, People Risk, Risk, Risk Limits

This may not be your corporate policy.  But you should be clear to all whether your risk limits are hard, soft or gigantic. 

A Hard risk limit is one where there just may be a rock and a snake for the violator.  Violations of limits are not expected to happen in a system with hard risk limits.  So maybe no one knows what the consequences are.  In systems with very hard limits, a system of “checkpoints” may develop that are actually soft limits that help managers to avoid coming too close to the hard limits.  These firms may have rules like “violations of limits must be reported to the board at the very next meeting”.  In addition, there may be a hard requirement to reverse or offset the actions that led to the violation within some short period of time, sometimes something like 72 hours. 

A Soft risk limit is very much the opposite.  Violation of a soft risk limit might most often result in raising the limit.  Or violations may simply be allowed to stand without any special notice or attempt to reverse.  A more disciplined soft limit system may track the number of violations and use the count of violations as an indication of potential issues.

A Gigantic risk limit is very common.  There is no need to decide whether a Gigantic risk limit is hard or soft, because there is little chance that the firm will ever approach the limit.  Gigantic limits are often 200% or more than expected positions.  Commonly, Gigantic limits are found in formal investment policies of firms or funds.  These are deliberately set so high that they will not get in the way of day to day operations of the investment managers, even if they want to make significant changes to the make-up of the fund.  Unfortunately, many firms have not yet realized that these policy limits are not useful risk limits.  But they do save money on snakes.

Risk Management Changed the Landscape of Risk

Posted December 9, 2009 by riskviews
Categories: Action, Assumptions, Cultural Theory of Risk, Financial Crisis, Hedging, Modeling, People Risk, Risk, Risk Learning, Risk Limits, Risk Management, Uncertainty

The use of derivatives and risk management processes to control risk was very successful in changing the risk management Landscape.

But that change has been in the same vein as the changes to forest management practices that saw us eliminating the small forest fires only to find that the only fires that we then had were the fires that were too big to control.  Those giant forest fires were out of control from the start and did more damage than 10 years of small fires.

The geography of the world from a risk management view is represented by this picture:

The ball represents the state of the world.  Taking a risk is represented by moving the ball one direction or the other.  If the ball goes over the top and falls down the sides, then that is a disaster.

So risk managers spend lots of time trying to measure the size of the valley and setting up processes and procedures so that the firm does not get up to the top of the valley onto one of the peaks, where a good stiff wind might blow the firm into the abyss.

The tools for risk management, things like derivatives with careful hedging programs now allowed firms to take almost any risk imaginable and to “fully” offset that risk.  The landscape was changed to look like this:

Managers believed that the added risk management bars could be built as high as needed so that any imagined risk could be taken.  In fact, they started to believe that the possibility of failure was not even real.  They started to think of the topology of risk looking like this:

Notice that in this map, there is almost no way to take a big enough risk to fall off the map into disaster.  So with this map of risk in mind, company managers loaded up on more and more risk.

But then we all learned that the hedges were never really perfect.  (There is no profit possible with a perfect hedge.)  And in addition, some of the hedge counterparties were firms who jumped right to the last map without bothering to build up the hedging walls.

And we also learned that there was actually a limit to how high the walls could be built.  Our skill in building walls had limits.  So it was important to have kept track of the gross amount of risk before the hedging.  Not just the small net amount of risk after the hedging.

Now we need to build a new view of risk and risk management.  A new map.  Some people have drawn their new map like this:

They are afraid to do anything.  Any move, any risk taken might just lead to disaster.

Others have given up.  They saw the old map fail and do not know if they are ever again going to trust those maps.

They have no idea where the ball will go if they take any risks.

So we risk managers need to go back to the top map again and revalidate our map of risk and start to convince others that we do know where the peaks are and how to avoid them.  We need to understand the limitations to the wall building version of risk management and help to direct our firms to stay away from the disasters.

Commentary on Timeline of the Global Financial Crisis

Posted December 2, 2009 by riskviews
Categories: Financial Crisis, Leverage, Liquidity, Profits, Regulatory Risk, Risk, Risk Management, Sub prime

Link to Detailed Timeline

The events of the past three years are unprecedented in almost all of our lifetimes.  One needs to go back and look at how much was happening in such a short time to get an appreciation of how difficult it must have been to be in the hot seats of government, central banks and regulators, especially during the fall of 2008.

On the other hand, it is pretty easy, with 20-20 hindsight, to point to events that should have made it clear that something bad was on its way.

The timeline that is posted here on Riskviews is an amalgam from 5 or 6 different sources, including the BBC, Federal Reserve and Wikipedia.  None of them seemed to be very complete.  Not that this one is.  My personal biases left out some items from all of the sources.

Let us know what was left out that is important.  This timeline was created over a one year period and there was little effort to go back and pick up items that did not seem important at the time, but that later were found to be early signals of later big problems.

The reaction that I have had when I used this timeline to make a presentation about the Financial Crisis is that it is pretty unfair to go pointing fingers about actions taken during the fall of 2008.  When you look at the daily earth shaking events that were happening, it is really totally overwhelming, even a year later.  If the events that occurred daily were spread out one per month, then perhaps a case could be made that “they” should have done better.

Going back much further, I am not willing to be quite so kind.  This crisis was manufactured by collision of two deliberate government policies – home-ownership for all and deregulation of financial markets.  That collision was preventable.  Neither policy had to be taken to the extreme that it was taken – to what looks now like an absurd extreme in both cases.

And in addition, the financial firms themselves are far from blameless.  Greenspan’s belief that the bankers were capable of looking out for their shareholder’s best interest was correct.  They were capable.

Read the history.  See what happened.  Decide for yourself.  Let me know what I missed.